The Nsag infector story continues

Since we last reported on Nsag infectors, we’ve seen quite a lot of new malware related to Nsag.

There’s no real point in continuing to refer to this malware as Smitfraud, so we won’t.

Overall, the malware is the same old thing, but in slightly different clothing. Nsag.b infectors have taken the place of Nsag.a infectors. Although these new infectors aren’t really innovating, the Trojan-Downloaders that install these infectors are.

Most Trojan-Downloader.Win32.Zlob variants download numerous pieces of malware – most notably a Nsag.b infector and Trojan.Win32.Puper variants.

Zlob is interesting because of the technique it uses to download files.
It uses a new method to inject code into explorer.exe. This way it can download the malicious files without alerting the firewall.

It would seem that the creators are refining the way the Nsag infector gets introduced to the system rather then building new features into the infector itself.

This once again shows that the author(s) means business. This story is far from over.

The Nsag infector story continues

Your email address will not be published. Required fields are marked *



How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox